We scanned the script using Fortify and got errors with category Header Manipulation: Cookies, and they point to this code inside the remove method implementation:
document.cookie=a+"=;expires="+b.toGMTString();document.cookie=a+"=;expires="+b.toGMTString()+"; path=/";
Release: 9.1
Component: AuthMinder (Arcot WebFort)
Our recommendation is to apply the patch DE537482_hotfix (arcotjsclient_jso.js) to resolve this issue.
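The flagged statements concatenate the cookie name a directly into document.cookie. The following added example (not the vendor's code and not the contents of the hotfix) shows one way to write such a remove routine so that the name is checked against the RFC 6265 cookie-name grammar before the cookie string is built. The names removeCookie, buildExpiredCookie and the doc parameter are hypothetical.

```javascript
// Added example, not taken from arcotjsclient_jso.js or the hotfix.
// RFC 6265 defines cookie-name as an HTTP token: visible ASCII with no
// separators, so ";", "=", whitespace and control characters are excluded.
const COOKIE_NAME_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Path attribute value: starts with "/" and contains no ";", space or CTLs.
const COOKIE_PATH = /^\/[\x21-\x3A\x3C-\x7E]*$/;

// Build the "expire now" cookie string, refusing any name or path that
// could add extra attributes or a second cookie to the string.
function buildExpiredCookie(name, path) {
  if (typeof name !== "string" || !COOKIE_NAME_TOKEN.test(name)) {
    throw new TypeError("invalid cookie name");
  }
  // A fixed past date replaces the caller-supplied Date object.
  let cookie = name + "=; expires=" + new Date(0).toUTCString();
  if (path !== undefined) {
    if (typeof path !== "string" || !COOKIE_PATH.test(path)) {
      throw new TypeError("invalid cookie path");
    }
    cookie += "; path=" + path;
  }
  return cookie;
}

// Same two writes as the flagged code (no path, then path=/), but both
// strings are validated and built before anything is assigned.
// `doc` is an assumption: pass `document` in a browser.
function removeCookie(doc, name) {
  const withoutPath = buildExpiredCookie(name);
  const withRootPath = buildExpiredCookie(name, "/");
  doc.cookie = withoutPath;
  doc.cookie = withRootPath;
}

// Constructed stand-in for `document` so the example also runs under Node.
const fakeDoc = { writes: [], set cookie(v) { this.writes.push(v); } };
removeCookie(fakeDoc, "session_id");
console.log(fakeDoc.writes);
```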